Introduction
In the modern times and more recently during the pandemic, data is becoming more and more valuable to tech giants. Many companies rely on data pools to dominate the market which results in these body corporates collecting extensive data. Search engines nowadays engage AI in order to save data related to customer preferences in order to efficiently cater to consumer needs. Data is seen as payment by Companies for certain digital services. Often consumers are not informed enough or have been left without much choice when it comes to revealing their private data to renderers of digital services. These actions are affecting privacy of the consumers of these companies. The issue of data privacy and competition law come together at this juncture. To further explain their relationship, a reference can be made to the report made by the Competition Commission of India (CCI) on the telecom sector in India[1]. The report studied the association between data privacy and competition law by labelling the use of data non-price competition. This indicated that data collected by a company from its consumers might be used by it to gain advantage over their competitors.
Recent Clashes between Data Privacy Protection and Competition Law
Dominant companies are immensely focused on becoming rich in data and this will result in competitive advantage and will ultimately lead to unfair impacts on smaller businesses which do not have access to equal amounts of data. These dominant companies will then merge, for example, the merge between Microsoft and Linkedin. This merger will result in result in both privacy and competition law concerns but even though it’s a combined problem, it will require specific data protection and competition regulation laws to be enacted and enforced.
On one hand, privacy in India is protected as a fundamental right under Article 21 of the Indian constitution after the judgement in Justice K.S Puttaswamy (Retd.) vs. Union of India[2] and on the other hand, the competition law, through the Competition Commission of India, takes up the responsibility to prevent business practices from having any adverse effect on competition and sustain positive competition in the market. It also takes into its purview protection of the consumers’ interest, which includes their privacy and in this regard, the commission has initiated probes in issues pertaining to entities such a Facebook, Whatsapp and Google. So, with this aspect in mind, any harm to data or privacy of consumers will be considered to have anti-competitive implications in India. Such implication will give rise to data privacy and competition concerns. One such instance was recently observed in, what is popularly known as the Whatsapp Case of 2021. This case deals with the updated terms of Whatsapp, a popular messaging application. The CCI, in March, 2021 had issued an order for investigation under Section 26 (1) of the Competition Act, 2002, in the suo moto case. This order was a result of Whatsapp updating its terms which indicated that the application would be capable of collecting and sharing of private data of its users with its parent company, Facebook. There was no option of voluntarily opting out from data sharing, on the end of the consumers. Hence, this action amounted to abuse of dominance under section 4 of the Competition Act, 2002. [3]
The result from the investigation, that is to be undertaken by the Director General under this order, is still pending. However, through this scenario, it has been revealed that India lacks a data protection law and a regulator authority for data protection. Even though the CCI succeeded in concluding that there has been a prima facie violation on the part of Whatsapp, it was an unnecessary and improper move as it revealed that India lacks a specialised data protection law and a data privacy regulating authority. The Personal Data Protection Bill, 2019 has not been enacted by the Indian government but it is a framework that addresses many vital aspects of ‘proper consent’ which could be effective in dealing with cases such as the one at hand. These cases are more inclined towards privacy policy than competition law and continued interjection in data privacy matters by competition regulatory authority might be questioned for lack of jurisdiction.
While on this context, we shall take a look at what is going in the global sphere. Germany’s lead data protection regulator banned Facebook from processing data collected from Whatsapp users. The updated privacy policy of the messaging application was found to abusive of its market power under Europe’s General Data Protection Regulations or GDPR. The GDPR has come into force in 2016, it has provisions under which consent from users for data processing, anonymizing data collected to prevent privacy breach, safely handling the transfer of data across border and some companies are also required to make of a data protection officer, in order to oversee compliance with GDPR. [4]The results, from the investigation undertaken by Ireland’s Data Protection Commission (DPC) to examine if Whatsapp had complied with the transparency obligation under GDPR with respect to the provision of information and the transparency of that information to both users and non-users of Whatsapp’s service, revealed that Sections 5(1)(a), 12,13 and 14 of GDPR were being violated. The DPC slammed Whatsapp with a fine of 225 million on the suggestion of the European Data Protection Board on September of 2021. [5] Similar to the GDPR, California, USA, came up with the California Privacy Act (CCPA), in June, 2018, that created a new private right of action in case of security breaches and potential statutory damages.
The ‘Notice and Choice’[6] approach to privacy regulation in some other countries is inspired by views on privacy from the USA, which allows individuals to determine their own data privacy destiny. This earned the approach the nickname of ‘privacy self-management.’ However, this approach is quiet redundant as this approach came into play during the 1970’s when private data were limited to fax machines, cabinet files and paper records but in modern times, much more is at risk with the involvement of digital mechanisms in every aspect of our lives. The economy, today, is much based on surveillance of private data in order to gain strong hold on the market which why provisions for strong checks and balances in both the competition law and data privacy protection sector is a need of the hour. Though right to privacy has been recognised as a basic human right by the UN Declaration of Human Rights, the decision by the US Ninth Circuit in the 2019 case of HiQ Labs, Inc. vs Linkedin Corp. [7]revealed that there are still instances wherein competition interest is put before data privacy concerns. In this case, Linkedin had gone ahead and terminated HiQ’s access to profile data on the grounds that HiQ was collecting personal data belonging to Linkedin users even though the users had expressly opted for a privacy setting phrased as ‘do not broadcast’ in relation to updates in their profiles. HiQ’s defence was that it could not survive without accessing data from Linkedin and that Linkedin’s move to block their access amounts to unfair competition. The Ninth Circuit’s decision in favour of HiQ is a violation of data privacy of the Linkedin profile holders who should have been able to afford privacy for their data, which they had opted to prohibit broadcasting of. Privacy should not come second to competition.
India’s Position in Comparison to the Global Scenario
Through the above instances we see that the global scenario is better equipped to deal with clear violations of data privacy than India. The lack of specialised data privacy laws leads to dependence on competition law to secure cases of data privacy breach. However, this remedy does not do complete justice to the aggrieved as remedies available under the competition law are more to do with keeping a check on market power dominance rather than solving privacy concerns. The other pieces of legislation that can be used for defence is the Information Technology Act, 2000 and provisions from certain other statutes that stand for this purpose but aren’t specific to data privacy protection. This exhibits the necessity for a specialised data privacy regulatory authority and specified data protection law in India for upcoming data privacy concerns in an era where technology is ever evolving. While it is definitely essential for competition law to encourage the involvement of more privacy-enhancing competitors than those which are centred around private data exploitation, it is still not a replacement for stringent and updated data privacy protection mechanisms.
Conclusion
To conclude, it may be stated that even though various countries across the world are equipped with data privacy protection laws and specialised regulatory authorities, they still need to update their laws to fit the changing times. While India needs to come up with sturdy laws to keep data privacy violations in check and an authority to essentially look into matters of data privacy concerns should be set up. Lastly, while maintaining healthy competition among companies is important, the protection of the citizens’ private data cannot be side tracked as secondary priority, thus, a well formulated legislative control over such matters should be introduced. The enforcement of the Personal Data Protection Bill, 2019 as an Act shall serve as the first step in the right direction, for India.
References:
[1] CCI’s Published Market Study on the Telecom Sector in India: Key Findings and Observations, Jan.22, 2021 available at http://cci.gov.in/sites/default/files/whats_newdocument/Market-Study-on-the-Telecom-Sector-In-India.pdf (accessed on Dec.06, 2021 at 10:15 PM)
[2] AIR 2017 SC 4161
[3] CCI’s order under Section 26(1) In Re. Updated Terms of Service and Privacy Policy for Whatsapp Users, Suo Moto Case No. 01 of 2021, dated March. 24, 2021 available at https://www.cci.gov.in/sites/default/files/SM01of2021_0.pdf (accessed on Dec. 06, 2021 at 11:22 PM)
[4] Saumya Tewari, New Rules to Regulate Social Media Spark Concern over Privacy, Mint, Feb. 27, 2021 at 12:33AM IST
[5] Data Protection Commission’s order In Re.Whatsapp Ireland Limited available at https://edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf (accessed on Dec. 07,2021 at 6:15 PM)
[6] The OECD Privacy Framework, 2013 available at https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
[7] 938 F.3d 985 (9th Cir. 2019)
0 Comments